Every now and then you run into a small discovery that you know you will need again in your life. This is where I throw together all of mine. Perhaps they come in handy for you too...

Wednesday, October 17, 2007

Configuring RTSPS (RTSP over TLS) in SoftGrid

One of the convenient features of SoftGrid is that all the streaming and management traffic can be encapsulated in a TLS tunnel. This is very useful if you want to make SoftGrid available through a web interface or to internet users. Some documentation is available (MSKB930870) on how you should configure the RTSPS protocol on the SoftGrid server, but very little is said on how you should obtain a server certificate that SoftGrid can understand.

It turns out that SoftGrid requires a cert.pem and a key.pem file, and cannot read Microsoft's PKCS#12 certificate stores (where multiple certificates and keys are stored in a single file). So how can you obtain a separate certificate and private key file if you only have a Microsoft Certification Authority in your enterprise? Here's how...

I. Preparing to request the certificate

First of all, you need to create a new certificate template that allows the exporting of private keys from a Microsoft certificate store. If you don't do this, you cannot separate the private key and the actual certificate that are stored in the single PKCS#12 file. An additional complication is that your certification authority needs to be running Windows 2003 Enterprise Edition in order to allow for custom templates! If that is all set, do the following steps:

Open a MMC and open the Certificate Templates snap-in.

Right-click the Webserver template and choose to duplicate it.

Change the following settings:

Template Display Name: Webserver (25 years and exportable)

Validity period: 25 years

Also make sure that on the Request Handling tab, the Allow private key to be exported box is checked!

Save the template & exit this MMC.

Next, open the Certification Authority MMC on your CA server, and go to the Certificate Templates branch in the navigation tree on the left. Right-click and select New template to issue.

Select the template you just created. Afterwards, restart the CA service.

Done! You have just created a new certificate template that allows the private keys of the (entire) certificate to be exported.

II. Requesting the certificate

On your SGVAS server (... you need to do this on every SoftGrid server!), navigate to the CA's certificate webpage, which is typically available at http://ca_hostname/certsrv.

There, select to request a new certificate, then select advanced certificate request. Then, select the option to Create and submit a request to this CA.

Enter the following information:

Certificate Template: Webserver (25 years and exportable)

Name: use the FQDN of your SGVAS server.

Ensure the Mark keys as exportable box is checked.

Enable Store certificate in the local computer certificate store.

Attributes: can be used to specify additional hostnames for a particular server.

Once the certificate has been issued and exported together with its private key from the local computer certificate store to a PKCS#12 (.pfx) file, follow this procedure to convert the PKCS#12 file into a separate private key file and certificate file:

Open a command prompt and go to the installation directory of OpenSSL (default is C:\OpenSSL).

Enter the following command (change the location of the input file sgvas.pfx and output file sgvas.pem as desired):

openssl pkcs12 -in sgvas.pfx -out sgvas.pem -nodes

You will be prompted for the import password, which is the private key password that you chose when exporting the certificate in the Microsoft management console. Note that because of the -nodes option the private key is written to sgvas.pem unencrypted, so treat that file with the same care as the key itself.

Open the sgvas.pem file using a text editor like WordPad. Find the part that is enclosed by the BEGIN RSA PRIVATE KEY tags (newer OpenSSL versions write the key in PKCS#8 form and label it BEGIN PRIVATE KEY instead), and copy it entirely (including the begin/end declarations) to a separate file that you call key.pem. The resulting key.pem file should look like:

Back in the sgvas.pem file, find the part that is enclosed by the BEGIN CERTIFICATE declarations and copy it entirely (including the begin/end declarations) to a separate text file that you call cert.pem. An example of how this file should look:

Ensure that the files are deleted from all other locations to prevent compromising your security (the private key is not supposed to leak out!!)
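The manual WordPad split described above is easy to get wrong (leftover Bag Attributes lines, a missing END line, or a chain certificate that ends up in the wrong file). The following script, an added example that is not part of the original post, does the same split automatically: it picks out the single private key block and all CERTIFICATE blocks from the combined sgvas.pem, writes key.pem with owner-only permissions, and refuses to continue if the input does not contain exactly one key. The embedded sgvas.pem content is a constructed sample with placeholder base64, not real key material.

```python
import os
import re

# One PEM block, with its label captured so keys and certificates can be told
# apart. Bag Attributes, subject/issuer lines and anything else that
# "openssl pkcs12 ... -nodes" prints between blocks are skipped.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
# Older OpenSSL writes "RSA PRIVATE KEY"; newer versions write PKCS#8 "PRIVATE KEY".
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY"}


def split_pem(text):
    """Return {'key': [...], 'cert': [...]}, each a list of complete PEM blocks."""
    parts = {"key": [], "cert": []}
    for m in PEM_BLOCK.finditer(text):
        block = m.group(0) + "\n"
        if m.group("label") in KEY_LABELS:
            parts["key"].append(block)
        elif m.group("label") == "CERTIFICATE":
            parts["cert"].append(block)
    return parts


def write_softgrid_files(combined_pem, key_path, cert_path):
    parts = split_pem(combined_pem)
    if len(parts["key"]) != 1:
        raise ValueError("expected one private key block, found %d" % len(parts["key"]))
    if not parts["cert"]:
        raise ValueError("no CERTIFICATE block found")
    # The key is unencrypted (-nodes), so create key.pem owner-readable only
    # (effective on POSIX; the mode is ignored on Windows).
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(parts["key"][0])
    with open(cert_path, "w") as f:
        f.write("".join(parts["cert"]))  # server certificate first, chain after
    return {"keys": 1, "certs": len(parts["cert"])}


# Constructed stand-in for sgvas.pem; the base64 bodies are placeholders.
SAMPLE_SGVAS_PEM = """Bag Attributes
    localKeyID: 01 02 03 04
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAplaceholderKEYdata==
-----END RSA PRIVATE KEY-----
Bag Attributes
subject=/CN=sgvas.example.local
-----BEGIN CERTIFICATE-----
MIIDplaceholderCERTdata==
-----END CERTIFICATE-----
"""
```

OpenSSL itself can also write the two files directly from the .pfx with `openssl pkcs12 -in sgvas.pfx -nocerts -nodes -out key.pem` and `openssl pkcs12 -in sgvas.pfx -clcerts -nokeys -out cert.pem`, which avoids the intermediate combined file altogether.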

Open the SoftGrid Management console, go to Server Groups and rightclick the SoftGrid server that the certificate was generated for. Add a new protocol (RTSPS) and fill out the certificate and security key values as follows:

where you use the password that you entered when exporting the key in the Microsoft Management console.

Modify all your OSD files to use RTSPS on port 332 instead of RTSP on port 554, i.e. replace all occurrences of

rtsp://%SFT_SOFTGRIDSERVER:554/...

with

rtsps://%SFT_SOFTGRIDSERVER:332/...

Restart the SoftGrid server to enable RTSPS streaming at the server side.

That finishes the server-side configuration for enabling RTSPS. Now do not forget to reconfigure your clients to use a Secure SoftGrid Virtual Application Server to let them use RTSPS.

Note: A bug in the SoftGrid client 4.1.0.56 breaks the TLS functionality in the client. You are thus forced to upgrade to 4.1 SP1 / 4.2 or roll back to the 3.x client if you want to use a TLS tunnel!
